
Did I get Bagle? Help with the script for Avenger

Posted: Tue Oct 21, 2008 1:02 pm
by aitalus
I've caught a nasty Bagle virus too (I think) and I'm following your guide, but I'm not much of an expert and I don't want to do any further damage.
I ran the scan (rootkit/malware and Autostart) and have now downloaded Avenger, but I don't know which script to paste into it.
This is the log of the rootkit section

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-21 14:00:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF843F0B0]
SSDT sptd.sys ZwEnumerateKey [0xF844484C]
SSDT sptd.sys ZwEnumerateValueKey [0xF8444BEC]
SSDT sptd.sys ZwOpenKey [0xF843F090]
SSDT \??\C:\Programmi\ewido\security suite\guard.sys ZwOpenProcess [0xF8C7768C]
SSDT sptd.sys ZwQueryKey [0xF8444CC4]
SSDT sptd.sys ZwQueryValueKey [0xF8444B44]
SSDT sptd.sys ZwSetValueKey [0xF8444D56]
SSDT \??\C:\Programmi\ewido\security suite\guard.sys ZwTerminateProcess [0xF8C77604]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
.text USBPORT.SYS!DllUnload F77B762C 5 Bytes JMP 82D7A1B8
? C:\WINDOWS\system32\drivers\rphosj.sys Impossibile trovare il file specificato. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8453580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F845352C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F846DAB8] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F8453580] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F843FABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F843FC00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F843FB82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F844072E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F8440604] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8452B9A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82FD21D8
Device \FileSystem\Udfs \UdfsCdRom FF306980
Device \FileSystem\Udfs \UdfsDisk FF306980

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 82D3E1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82F681D8
Device \Driver\dmio \Device\DmControl\DmConfig 82F681D8
Device \Driver\dmio \Device\DmControl\DmPnP 82F681D8
Device \Driver\dmio \Device\DmControl\DmInfo 82F681D8
Device \Driver\usbohci \Device\USBPDO-1 82D3E1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{36EC9AD7-5907-4C08-9E92-87C78387923D} FF2BE1D8
Device \Driver\usbehci \Device\USBPDO-2 82D271D8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 82FD51D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82FD51D8
Device \Driver\Cdrom \Device\CdRom0 82D12520
Device \Driver\Ftdisk \Device\HarddiskVolume3 82FD51D8
Device \Driver\Cdrom \Device\CdRom1 82D12520
Device \Driver\NetBT \Device\NetBt_Wins_Export FF2BE1D8
Device \Driver\NetBT \Device\NetbiosSmb FF2BE1D8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbohci \Device\USBFDO-0 82D3E1D8
Device \Driver\usbohci \Device\USBFDO-1 82D3E1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FF296878
Device \Driver\usbehci \Device\USBFDO-2 82D271D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector FF296878
Device \Driver\Ftdisk \Device\FtControl 82FD51D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E0C7EFDF-FD8F-4F40-B422-8EF7D6430EED} FF2BE1D8
Device \Driver\si3112r \Device\Scsi\si3112r1Port0Path1Target0Lun0 82F671D8
Device \Driver\si3112r \Device\Scsi\si3112r1Port0Path0Target0Lun0 82F671D8
Device \Driver\si3112r \Device\Scsi\si3112r1 82F671D8
Device \FileSystem\Cdfs \Cdfs FEB494C8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -889211946
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -2046599505
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x40 0xA3 0x8C 0xAA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x40 0xA3 0x8C 0xAA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x48 0x47 0xB8 0xAD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.14 ----


and this is the one from the Autostart section

GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-10-21 14:01:41
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk /k:d * /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
fsmgmt@DLLName = fsmgmt.dll
WgaLogon@DLLName = WgaLogon.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Autodesk Licensing Service@ = "C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe"
AvidSDMService@ = system32\AvidSDMService.exe
AvidStartup@ = system32\AvidStartup.exe
Creative Service for CDROM Access@ = C:\WINDOWS\System32\CTsvcCDA.exe
cryptex@ = C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe /*file not found*/
DigiRefresh@ = C:\Programmi\Digidesign\Drivers\MMERefresh.exe -s
EngineServer@ = "C:\Programmi\McAfee\Managed VirusScan\VScan\EngineServer.exe"
McAfee HackerWatch Service@ = "C:\Programmi\File comuni\McAfee\HackerWatch\HWAPI.exe"
mi-raysat_3dsmax9_32@ = "C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
MpfService@ = C:\Programmi\McAfee\MPF\MPFSrv.exe
myAgtSvc@ = "C:\Programmi\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SiteAdvisor Service@ = C:\Programmi\SiteAdvisor\6173\SAService.exe
SLService@ = slserv.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
WMDM PMSP Service@ = C:\WINDOWS\System32\MsPMSPSv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@RemoteCenter /*file not found*/ = /*file not found*/
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@SBDrvDetC:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r /*file not found*/ = C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r /*file not found*/
@CTSysVolC:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r /*file not found*/ = C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r /*file not found*/
@CTDVDDETC:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE = C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
@MVS Splash"C:\Programmi\McAfee\Managed VirusScan\Agent\Splash.exe" = "C:\Programmi\McAfee\Managed VirusScan\Agent\Splash.exe"
@McAfee Managed Services Tray"C:\Programmi\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" = "C:\Programmi\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@nwiznwiz.exe /install = nwiz.exe /install
@MimBootC:\Programmi\MUSICMATCH\mimboot.exe = C:\Programmi\MUSICMATCH\mimboot.exe
@mm_serverC:\Programmi\MUSICMATCH\mm_server.exe = C:\Programmi\MUSICMATCH\mm_server.exe
@PhilipsRemoteC:\Programmi\MUSICMATCH\PhilipsRemote.exe = C:\Programmi\MUSICMATCH\PhilipsRemote.exe
@Adobe Photo Downloader"C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@emMONemMON.exe = emMON.exe
@DigidesignMMERefreshC:\Programmi\Digidesign\Drivers\MMERefresh.exe = C:\Programmi\Digidesign\Drivers\MMERefresh.exe
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@Noun Date Rule AxisC:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe /*file not found*/ = C:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe /*file not found*/
@USRobotics USB Internet Mini Phone"C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe" = "C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe"
@USRobotics USB Internet Mini Phone Control Panel"C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USB Internet Mini Phone UI.exe" = "C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USB Internet Mini Phone UI.exe"
@SunJavaUpdateSched"C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" = "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
@SiteAdvisorC:\Programmi\SiteAdvisor\6173\SiteAdv.exe = C:\Programmi\SiteAdvisor\6173\SiteAdv.exe
@ASocksrvSocksA.exe el = SocksA.exe el
@QuickTime Task"C:\Programmi\QuickTime\QTTask.exe" -atboottime = "C:\Programmi\QuickTime\QTTask.exe" -atboottime
@MS32DLLC:\WINDOWS\MS32DLL.dll.vbs = C:\WINDOWS\MS32DLL.dll.vbs
RunServices@SchedulingAgent = C:\WINDOWS\system32\mstask.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@RemoteControl /*file not found*/ = /*file not found*/
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" /*file not found*/ = "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" /*file not found*/
@RemoteCenterC:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe /*file not found*/ = C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe /*file not found*/
@SurfbyteC:\DOCUME~1\Draperi\DATIAP~1\STYLEC~1\JumpCake.exe /*file not found*/ = C:\DOCUME~1\Draperi\DATIAP~1\STYLEC~1\JumpCake.exe /*file not found*/
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/ = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background /*file not found*/
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{54D9498B-CF93-414F-8984-8CE7FDE0D391} = C:\Programmi\ewido\security suite\shellhook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll /*file not found*/ = dskquoui.dll /*file not found*/
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\System32\hticons.dll /*file not found*/ = C:\WINDOWS\System32\hticons.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{0006F045-0000-0000-C000-000000000046} /**/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{20082881-FC36-4E47-9A7A-644C95FF749F} /*IntelliPoint Wireless Control Panel Property Page*/"C:\Programmi\Microsoft IntelliPoint\ipcplwir.dll" = "C:\Programmi\Microsoft IntelliPoint\ipcplwir.dll"
@{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} /*IntelliPoint Wheel Control Panel Property Page*/"C:\Programmi\Microsoft IntelliPoint\ipcplwhl.dll" = "C:\Programmi\Microsoft IntelliPoint\ipcplwhl.dll"
@{653DCCC2-13DB-45B2-A389-427885776CFE} /*IntelliPoint Activities Control Panel Property Page*/"C:\Programmi\Microsoft IntelliPoint\ipcplact.dll" = "C:\Programmi\Microsoft IntelliPoint\ipcplact.dll"
@{124597D8-850A-41AE-849C-017A4FA99CA2} /*IntelliPoint Buttons Control Panel Property Page*/"C:\Programmi\Microsoft IntelliPoint\ipcplbtn.dll" = "C:\Programmi\Microsoft IntelliPoint\ipcplbtn.dll"
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Autodesk.DWF.ContextMenu@{6C18531F-CA85-45F7-8278-FF33CF0A5964} = C:\Programmi\File comuni\Autodesk Shared\dwf Common\DWFShellExtension.dll
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido\security suite\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido\security suite\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll /*file not found*/ = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll /*file not found*/
@{089FD14D-132B-48FC-8861-0048AE113215}C:\Programmi\SiteAdvisor\6173\SiteAdv.dll = C:\Programmi\SiteAdvisor\6173\SiteAdv.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll = C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
myrm@CLSID = C:\Programmi\McAfee\Managed VirusScan\Agent\MyRmProt4.7.0.538.dll
siteadvisor@CLSID = C:\Programmi\SiteAdvisor\6173\SiteAdv.dll
skype4com@CLSID = C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E0C7EFDF-FD8F-4F40-B422-8EF7D6430EED} /*Connessione alla rete locale (LAN) 5*/ >>>
@IPAddress192.168.8.2 = 192.168.8.2
@NameServer =
@DefaultGateway192.168.8.1 = 192.168.8.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Programmi\NewDotNet\newdotnet6_98.dll /*file not found*/

C:\Documents and Settings\Draperi\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Pinnacle Scheduler.lnk = Pinnacle Scheduler.lnk

---- EOF - GMER 1.0.14 ----


I hope I've done things correctly and that someone can help me.
In the meantime: thanks for the excellent guide!
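As an added example (not part of this thread, and not GMER's own code), here is a small triage pass over GMER Autostart lines of the kind posted above: it parses the `key >>>` / `name@value = command` layout, extracts the launched file, and flags what a helper looks at first: entries whose target no longer exists, unexpected Winlogon notify packages, chained extensions such as `.dll.vbs`, executables launched from download/temp/profile directories, and random-looking directory or file names. The sample lines are copied from the Autostart log above; the function names (`entries`, `exe_path`, `looks_random`, `assess`, `triage`), the `KNOWN_NOTIFY` allow-list, the `%SystemRoot%` expansion and the heuristics themselves are this example's own assumptions, not GMER's.

```python
"""Triage of a GMER 'Autostart scan' log (added example, not GMER code).
SAMPLE is taken from the Autostart log posted in the thread; the heuristics
and KNOWN_NOTIFY are this example's assumptions."""
import re
from dataclasses import dataclass

MISSING = "/*file not found*/"                 # GMER's marker for an orphaned entry
EXEC_EXT = r"(?:exe|dll|vbs|sys|com|scr|bat|cmd)"
# First path ending in an executable extension, allowing chained ones (x.dll.vbs).
PATH_RE = re.compile(r"^(.+?\." + EXEC_EXT + r"(?:\." + EXEC_EXT + r")*)(?=\s|,|$)", re.I)
# Winlogon notify packages shipped with Windows XP (assumed allow-list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Directories a persistent executable should not normally run from.
ODD_DIRS = ("\\downlo", "\\temp\\", "\\dati applicazioni\\", "\\application data\\",
            "\\datiap~1\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass
class Finding:
    key: str        # registry key the entry lives under
    name: str       # value or subkey name
    path: str       # file the entry launches
    reasons: list


def entries(log):
    """Yield (key, name, command, missing) per value line.  GMER prints a key
    followed by ' >>>' and one line per value; a blank line ends the block.
    Lines without a block carry the key inline as key@value = command."""
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            key = None
            continue
        if line.endswith(">>>"):
            key = line[:-3].strip()
            continue
        if " = " not in line:
            continue
        left, value = line.split(" = ", 1)
        if key is None and "@" in left:
            key, left = left.split("@", 1)
            left = "@" + left
        missing = MISSING in value
        value = value.replace(MISSING, "").strip()
        name = left.lstrip("@").replace(MISSING, "").strip()
        if value and name.endswith(value):       # Run lines fuse name and command
            name = name[:-len(value)]
        yield key or "", name.rstrip("@").strip() or "(default)", value, missing


def exe_path(command):
    """Launched file from a command line: quoted, with arguments, or chained."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = PATH_RE.match(command)
    return m.group(1) if m else (command.split()[0] if command else "")


def looks_random(component):
    """Digits interleaved with letters (4bf69lm, 6sq5qyhp) rather than a
    trailing version number (nvsvc32): a weak but useful signal."""
    stem = component.split(".")[0].lower()
    if len(stem) < 6 or not stem.isalnum():
        return False
    digit_idx = [i for i, c in enumerate(stem) if c.isdigit()]
    letters = len(stem) - len(digit_idx)
    return len(digit_idx) >= 2 and letters >= 2 and digit_idx[0] < letters


def assess(key, path, missing):
    """Reasons an entry deserves a second look (empty list = nothing odd)."""
    reasons = []
    p = path.replace("%SystemRoot%", r"C:\WINDOWS").lower()   # assumed system root
    parts = [c for c in p.split("\\") if c]
    base = parts[-1] if parts else p
    if missing:
        reasons.append("target file not found (orphaned autostart entry)")
    if "\\winlogon\\notify" in key.lower() and base.split(".")[0] not in KNOWN_NOTIFY:
        reasons.append("unexpected Winlogon notify package")
    if re.search(r"\." + EXEC_EXT + r"\." + EXEC_EXT + r"$", base):
        reasons.append("double extension")
    if any(d in p for d in ODD_DIRS):
        reasons.append("runs from download/temp/profile directory")
    for comp in parts[-2:]:                      # file name and its parent dir
        if looks_random(comp):
            reasons.append("random-looking name: " + comp)
    return reasons


def triage(log):
    """Entries worth a second look, in log order."""
    findings = []
    for key, name, command, missing in entries(log):
        reasons = assess(key, exe_path(command), missing)
        if reasons:
            findings.append(Finding(key, name, exe_path(command), reasons))
    return findings


# Lines copied from the Autostart log posted in the thread.
SAMPLE = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
fsmgmt@DLLName = fsmgmt.dll
WgaLogon@DLLName = WgaLogon.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
cryptex@ = C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe /*file not found*/
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Noun Date Rule AxisC:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe /*file not found*/ = C:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe /*file not found*/
@MS32DLLC:\WINDOWS\MS32DLL.dll.vbs = C:\WINDOWS\MS32DLL.dll.vbs
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.name, "->", f.path, "|", "; ".join(f.reasons))
```

Run against the full Autostart log it singles out the same entries the helper's script targets (the `fsmgmt` notify package, the `cryptex` service, `MS32DLL.dll.vbs` and the `Noun Date Rule Axis` Run value) and leaves the NVIDIA, Creative and McAfee entries alone; an orphaned entry by itself (WgaLogon here) is only a cleanup candidate, so the reasons list, not the mere presence of a finding, is what to read.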

Re: I CAUGHT A NASTY BAGLE VIRUS

Posted: Tue Oct 21, 2008 1:20 pm
by ste_95
There are no traces of Bagle; besides, if there were, GMER wouldn't have started. What problems are you having?

Re: I CAUGHT A NASTY BAGLE VIRUS

Posted: Tue Oct 21, 2008 2:01 pm
by aitalus
Ah, I see...
I no longer know what's going on.

Basically, the computer restarts on its own quite often; frequently, right after I turn it on, I get this message:

SYSTEM SHUTDOWN
The system is about to shut down. Save all your work and log off. Any unsaved changes will be lost. The shutdown was initiated by NT AUTHORITY/SYSTEM.
Time remaining before shutdown (countdown...)
MESSAGE: Windows must be restarted because the RPC (Remote Procedure Call) service terminated unexpectedly.

As antivirus I have McAfee Total Protection, properly purchased and updated, but it has disappeared from the taskbar, and if I try to run a scan on a hard disk it doesn't start and tells me "Memory infected / scan aborted".
What's more, Task Manager has disappeared as well, and if I press Ctrl+Alt+Del it tells me the function has been disabled by the administrator.

So I began my pilgrimage through the forums and tried everything. In some places I was told it's an old virus called Blaster and that I need to install a patch for Windows, but I tried that (following it step by step) and it tells me it can't because my version of Windows is Service Pack 2 (if I'm not mistaken). Then some other site had me run a scan with Stinger, which relied on McAfee, and it found lots of .exe files infected by a virus called W 32 Salty (if I'm not mistaken), but I don't know whether it actually cleaned anything or not. Then I tried the online antivirus route, but nothing: none of those pages opens for me, so, following other clues, I found your guide for removing the Bagle virus, which disables all antivirus programs and doesn't let you download others.
So I thought (hoped) I had that one...

But instead?

I hope I've been precise enough.
Thanks

Re: I CAUGHT A NASTY BAGLE VIRUS

Posted: Tue Oct 21, 2008 8:02 pm
by Amantide
@ aitalus

Download OTMoveIt3, run it and make sure the option Unregister Dll's and Ocx's is ticked.
In the blank box under Paste Instructions for items to be Moved, paste the following script and click MoveIt!:

:files
C:\WINDOWS\system32\drivers\rphosj.sys
C:\WINDOWS\SYSTEM32\fsmgmt.dll
C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe
C:\WINDOWS\MS32DLL.dll.vbs
C:\MS32DLL.dll.vbs
C:\autorun.inf

:reg
[-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fsmgmt]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Noun Date Rule Axis"=-
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MS32DLL"=-
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"RunServices"=-

:services
cryptex

:processes
MS32DLL

:commands
[purity]
[emptytemp]


The log of the operation will be saved in the folder C:\_OtMoveIt\MovedFiles as a file named [name_and_date].LOG.
Copy its contents and post them here.

Then download ComboFix from here and run the scan following these instructions (at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; copy its contents here.

Re: Did I catch Bagle? Help with the Avenger script

Posted: Wed Oct 22, 2008 5:20 pm
by aitalus
Here is the OTMoveIt log

========== FILES ==========
File/Folder C:\WINDOWS\system32\drivers\rphosj.sys not found.
File/Folder C:\WINDOWS\SYSTEM32\fsmgmt.dll not found.
File/Folder C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe not found.
File/Folder C:\WINDOWS\MS32DLL.dll.vbs not found.
File/Folder C:\MS32DLL.dll.vbs not found.
File/Folder C:\autorun.inf not found.
File/Folder :reg not found.
File/Folder [-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fsmgmt] not found.
File/Folder [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] not found.
File/Folder Noun Date Rule Axis"= not found.
File/Folder [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] not found.
File/Folder MS32DLL"= not found.
File/Folder [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] not found.
File/Folder RunServices"= not found.
File/Folder :services not found.
File/Folder cryptex not found.
File/Folder :processes not found.
File/Folder MS32DLL not found.
File/Folder :commands not found.
File/Folder [purity] not found.
File/Folder [emptytemp] not found.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10222008_171848


and the ComboFix one

ComboFix 08-10-19.01 - Draperi 2008-10-22 17:47:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.198 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Draperi\Documenti\skaricata\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\tel.xls.exe
C:\WINDOWS\backinf.tab
C:\WINDOWS\Downloaded Program Files\4bf69lm
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pp.exe
C:\WINDOWS\session.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\filekan.exe
C:\WINDOWS\system32\socksa.exe
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\ufdata2000.log
D:\Autorun.inf
D:\MS32DLL.dll.vbs
D:\tel.xls.exe
E:\Autorun.inf
E:\MS32DLL.dll.vbs
E:\tel.xls.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr
-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Creati Da 2008-09-22 al 2008-10-22 )))))))))))))))))))))))))))))))))))
.

2008-10-22 17:16 . 2008-10-22 17:16 <DIR> d-------- C:\_OTMoveIt
2008-10-21 12:38 . 2008-10-21 19:59 250 --a------ C:\WINDOWS\gmer.ini
2008-10-21 10:23 . 2008-10-21 10:23 <DIR> d-------- C:\Programmi\KB824146Scan
2008-10-20 12:13 . 2008-10-20 12:13 <DIR> d-------- C:\DiskTemp
2008-10-19 11:13 . 2008-10-19 11:13 0 --a------ C:\c851
2008-10-17 09:03 . 2008-10-17 09:03 0 --a------ C:\d13a
2008-10-16 12:03 . 2008-10-16 12:03 <DIR> d-------- C:\Programmi\File comuni\Apple
2008-10-16 12:01 . 2008-10-16 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-10-16 11:30 . 2008-10-16 11:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-16 11:30 . 2008-10-16 11:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-16 10:56 . 2008-10-16 11:20 <DIR> d-------- C:\Programmi\Autodesk
2008-10-14 13:46 . 2008-10-14 13:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-10-14 11:45 . 2008-10-18 18:43 <DIR> d-------- C:\Programmi\Panda Security
2008-10-14 11:16 . 2008-10-14 11:16 <DIR> d-------- C:\Documents and Settings\Draperi\Dati applicazioni\Malwarebytes
2008-10-14 11:16 . 2008-10-14 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 18:47 --------- d-----w C:\Documents and Settings\Draperi\Dati applicazioni\Skype
2008-10-21 18:47 --------- d-----w C:\Documents and Settings\Draperi\Dati applicazioni\foobar2000
2008-10-21 16:32 --------- d-----w C:\Programmi\eMule
2008-10-21 09:54 90,112 -c--a-w C:\WINDOWS\unvise32.exe
2008-10-21 09:54 301,568 -c--a-w C:\WINDOWS\unin0410.exe
2008-10-21 09:52 229,376 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-10-21 09:52 1,593,344 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-10-21 09:49 1,392,640 ----a-w C:\WINDOWS\system32\AvidStartup.exe
2008-10-21 09:43 307,712 ----a-w C:\WINDOWS\IsUn0410.exe
2008-10-21 09:43 306,688 ----a-w C:\WINDOWS\IsUninst.exe
2008-10-21 09:36 202,240 ---ha-w C:\setup95.exe
2008-10-21 09:36 162,304 ----a-w C:\UNWISE.EXE
2008-10-19 09:13 --------- d-----w C:\Programmi\The FilmMachine
2008-10-18 16:49 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-10-18 16:49 --------- d-----w C:\Programmi\Ulead Systems
2008-10-18 16:49 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-10-18 16:49 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-10-18 16:47 --------- d-----w C:\Programmi\Rio
2008-10-18 16:45 --------- d-----w C:\Programmi\CyberLink
2008-10-18 16:43 --------- d-----w C:\Programmi\Womble MPEG Editor
2008-10-18 16:42 --------- d-----w C:\Programmi\Download Express
2008-10-18 16:36 --------- d-----w C:\Programmi\Exact Audio Copy
2008-10-18 16:34 --------- d-----w C:\Programmi\SlySoft
2008-10-18 16:32 --------- d-----w C:\Programmi\eMule AdunanzA
2008-10-17 19:50 --------- d-----w C:\Programmi\MUSICMATCH
2008-10-16 16:52 --------- d-----w C:\Programmi\3dsmax6
2008-10-16 10:04 --------- d-----w C:\Programmi\QuickTime
2008-10-16 10:01 --------- d-----w C:\Programmi\Apple Software Update
2008-10-16 09:21 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Autodesk
2008-10-16 09:19 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2008-10-14 19:25 --------- d-----w C:\Programmi\XviD
2008-10-14 16:22 --------- d-----w C:\Programmi\Stampa Copertine
2008-10-07 14:26 --------- d-----w C:\Programmi\Google
2008-10-05 14:49 --------- d-----w C:\Documents and Settings\Draperi\Dati applicazioni\SiteAdvisor
2008-09-10 05:11 --------- d-----w C:\Programmi\TimeLeft3
2008-06-04 21:34 30,544 ----a-w C:\Documents and Settings\Draperi\hkrahcbw.exe
2008-06-04 21:33 30,544 ----a-w C:\Documents and Settings\Draperi\qhcejbeb.exe
2008-03-20 13:09 86,070 ----a-w C:\Programmi\mozilla firefox\plugins\pthreadVC2.dll
2008-03-20 13:09 1,516,280 ----a-w C:\Programmi\mozilla firefox\plugins\RineraProxy.dll
2003-12-23 09:00 32 -csha-w C:\WINDOWS\{4E325F25-7691-4B9C-A297-B9E8A5DB2AD4}.dat
2003-12-23 09:00 32 --sha-w C:\WINDOWS\system32\{EDBA4E81-71F5-43D0-955F-61020DA7C43C}.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-17 7561216]
"SBDrvDet"="C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe" [2008-10-21 114688]
"CTSysVol"="C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Programmi\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 114688]
"MVS Splash"="C:\Programmi\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-10-21 536576]
"McAfee Managed Services Tray"="C:\Programmi\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-23 169280]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"MimBoot"="C:\Programmi\MUSICMATCH\mimboot.exe" [2004-12-10 11776]
"mm_server"="C:\Programmi\MUSICMATCH\mm_server.exe" [2004-12-10 180224]
"PhilipsRemote"="C:\Programmi\MUSICMATCH\PhilipsRemote.exe" [2008-10-21 823296]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 135168]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-10-21 320512]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-10-21 229376]
"DigidesignMMERefresh"="C:\Programmi\Digidesign\Drivers\MMERefresh.exe" [2006-02-15 61440]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-17 86016]
"USRobotics USB Internet Mini Phone"="C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe" [2006-06-07 338432]
"USRobotics USB Internet Mini Phone Control Panel"="C:\Programmi\U.S. Robotic\USB Internet Mini Phone\USB Internet Mini Phone UI.exe" [2006-06-07 2115584]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SiteAdvisor"="C:\Programmi\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-10-21 C:\WINDOWS\system32\nwiz.exe]
"emMON"="emMON.exe" [2006-05-30 C:\WINDOWS\emMON.exe]

C:\Documents and Settings\Draperi\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 195584]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Pinnacle Scheduler.lnk - C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [2008-01-11 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave4"= audpci40.dll
"midi2"= audpci40.dll
"mixer1"= audpci40.dll
"aux"= audpci40.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= PCLEPIM1.dll
"msacm.divxa32"= DivXa32.acm
"vidc.dvsd"= pdvcodec.dll
"Msacm.dvacm"= C:\PROGRA~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"MIDI5"= diomidi.dll
"wave10"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programmi\\File comuni\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"C:\\WINDOWS\\system32\\netsh.exe"=
"C:\\WINDOWS\\system32\\AvidStartup.exe"=
"C:\\WINDOWS\\system32\\nwiz.exe"=
"C:\\Programmi\\TechSmith\\Camtasia Studio\\CamRecorder.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"C:\\Programmi\\MUSICMATCH\\MMDiag.exe"=
"C:\\Programmi\\McAfee\\Managed VirusScan\\Agent\\Splash.exe"=
"C:\\Programmi\\Pinnacle\\Shared Files\\Programs\\Scheduler\\PCLEScheduler.exe"=
"C:\\Programmi\\SiteAdvisor\\6173\\SiteAdv.exe"=
"C:\\Programmi\\MUSICMATCH\\mimboot.exe"=
"C:\\Programmi\\Creative\\SB Drive Det\\SBDrvDet.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpHost.exe"=
"C:\\Programmi\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=
"C:\\Programmi\\MUSICMATCH\\mm_server.exe"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\Programmi\\Microsoft Office\\Office\\WINWORD.EXE"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=
"C:\\Programmi\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Programmi\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Programmi\\Autodesk\\Backburner\\manager.exe"=
"C:\\Programmi\\Autodesk\\Backburner\\server.exe"=
"C:\\Programmi\\MUSICMATCH\\mim.exe"=
"C:\\Programmi\\McAfee\\Managed VirusScan\\Agent\\StartMyagtTry.exe"=
"C:\\Documents and Settings\\Draperi\\Documenti\\skaricata\\WindowsXP-KB823980-x86-ITA.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=
"C:\\Programmi\\iTunes\\iTunesHelper.exe"=
"C:\\WINDOWS\\emMON.exe"=
"C:\\Programmi\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"4711:TCP"= 4711:TCP:emule
"4672:UDP"= 4672:UDP:emule
"6881:TCP"= 6881:TCP:azureus TCP 1
"6881:UDP"= 6881:UDP:azureus UDP
"6969:TCP"= 6969:TCP:azureus TCP 2

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-10-16 84529]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 10240]
R1 ewido security suite driver;ewido security suite driver;C:\Programmi\ewido\security suite\guard.sys [2004-11-22 3072]
R2 EngineServer;EngineServer;C:\Programmi\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 14144]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2003-03-05 15840]
R3 CX88xIR;Hauppauge WinTV 88x Video (+IR);C:\WINDOWS\system32\drivers\hcw88vid.sys [2003-02-03 439032]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;C:\WINDOWS\system32\Drivers\hcw88rc5.sys [2003-02-04 17345]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys [2003-02-03 143165]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys [2003-02-03 23212]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 6400]
S0 eisxtqho;eisxtqho;C:\WINDOWS\system32\drivers\deshwqj.sys [ ]
S2 cryptex;Crittografia estesa;C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe [ ]
S2 myAgtSvc;Servizio di protezione antivirus e antispyware di McAfee;C:\Programmi\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-23 243008]
S3 ACCSKMD;Canon Camera Storage Device;C:\WINDOWS\system32\DRIVERS\accskmd.sys [2004-02-25 32640]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2008-10-21 1527808]
S3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-03 129535]
S3 USB28xxBGA;USB 2860 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-09-12 292864]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-08-22 7168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4de9dcbd-759e-11dd-971d-00265415074e}]
\shell\Autoplay\comMaNd - H:\lsdsa.exe
\shell\AutoRun\command - H:\lsdsa.exe
\shell\exPlORe\commaND - H:\lsdsa.exe
\shell\oPeN\cOmManD - H:\lsdsa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b443fa5-6f23-11dd-970c-00265415074e}]
\Shell\AutopLay\cOmmanD - H:\vbpso.cmd
\Shell\AutoRun\command - H:\vbpso.cmd
\Shell\EXploRe\COmmand - H:\vbpso.cmd
\Shell\OPeN\CoMMaND - H:\vbpso.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{837c0810-914c-11dd-b13f-00265415074e}]
\shelL\AutoplaY\cOmmAnD - H:\xhqiss.pif
\shelL\AutoRun\command - H:\xhqiss.pif
\shelL\EXplore\CoMmAND - H:\xhqiss.pif
\shelL\opEn\CoMmaND - H:\xhqiss.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b41c3aec-c356-11dc-961f-00265415074e}]
\sHelL\autOpLaY\coMmand - H:\kcifeb.pif
\sHelL\AutoRun\command - H:\kcifeb.pif
\sHelL\eXPloRe\CoMmaNd - H:\kcifeb.pif
\sHelL\open\commAnD - H:\kcifeb.pif

*Newly Created Service* - ASC3360PR
.
Contenuto della cartella 'Scheduled Tasks'

2008-10-22 C:\WINDOWS\Tasks\ACE81839942F8AA5.job
- c:\docume~1\draperi\datiap~1\stylec~1\funk hide shim.exe []

2008-10-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe [2008-10-21 11:02]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-RemoteCenter - C:\Programmi\Creative\MediaSource\RemoteControl\RcMan.exe
HKCU-Run-Surfbyte - C:\DOCUME~1\Draperi\DATIAP~1\STYLEC~1\JumpCake.exe
HKCU-Run-MsnMsgr - C:\Programmi\MSN Messenger\MsnMsgr.Exe
HKCU-Run-RemoteControl - (no file)
HKLM-Run-Noun Date Rule Axis - C:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe
HKLM-Run-RemoteCenter - (no file)
HKLM-RunServices-SchedulingAgent - C:\WINDOWS\system32\mstask.exe


.
------- Supplementare di scansione -------
.
FireFox -: Profile - C:\Documents and Settings\Draperi\Dati applicazioni\Mozilla\Firefox\Profiles\wakpgd6u.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.it/
FF -: plugin - C:\Programmi\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\NPJava11.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\NPJava12.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\NPJava131_13.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\NPJava32.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\npoji600.dll
FF -: plugin - C:\Programmi\Mozilla Firefox\plugins\nprinera-1.4.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 17:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3360pr]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\rphosj.sys"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programmi\File comuni\McAfee\HackerWatch\HWAPI.exe
C:\Programmi\MUSICMATCH\MMDiag.exe
C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\SiteAdvisor\6173\SAService.exe
C:\Programmi\MUSICMATCH\mim.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2008-10-22 18:09:20 - macchina è stato riavviato [Draperi]
ComboFix-quarantined-files.txt 2008-10-22 16:08:51

Pre-Run: 8,304,844,800 byte disponibili
Post-Run: 8,126,509,056 byte disponibili

307 --- E O F --- 2007-07-11 12:03:15

Re: Did I catch Bagle? Help with the Avenger script

Posted: Wed Oct 22, 2008 10:20 pm
by Amantide
This file C:\setup95.exe and these folders C:\c851 and C:\d13a, do you know what they are?

Now copy the following lines into Notepad and save the file in C:\ with the name delete.reg (make sure you have selected All files before saving it).

Code:
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4de9dcbd-759e-11dd-971d-00265415074e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b443fa5-6f23-11dd-970c-00265415074e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{837c0810-914c-11dd-b13f-00265415074e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b41c3aec-c356-11dc-961f-00265415074e}]


Then download The Avenger, extract it to a folder and run the file avenger.exe.
Paste the following script into the white box under Input script here, untick Scan for rootkits and click Execute.

Code:
Files to delete:
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\Documents and Settings\Draperi\hkrahcbw.exe
C:\Documents and Settings\Draperi\qhcejbeb.exe
C:\WINDOWS\{4E325F25-7691-4B9C-A297-B9E8A5DB2AD4}.dat
C:\WINDOWS\system32\{EDBA4E81-71F5-43D0-955F-61020DA7C43C}.dat
C:\WINDOWS\system32\drivers\deshwqj.sys
C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe
H:\lsdsa.exe
H:\vbpso.cmd
H:\xhqiss.pif
H:\kcifeb.pif
C:\WINDOWS\Tasks\ACE81839942F8AA5.job
c:\docume~1\draperi\datiap~1\stylec~1\funk hide shim.exe
C:\DOCUME~1\Draperi\DATIAP~1\STYLEC~1\JumpCake.exe
C:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe
C:\WINDOWS\system32\drivers\rphosj.sys

Drivers to unload:
eisxtqho
cryptex
asc3360pr

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3360pr

Programs to launch on reboot:
delete.reg


The PC should restart; if it doesn't, restart it manually.
On restart the log avenger.txt should appear; post its contents here.

After running Avenger, run the ComboFix scan again and attach the new log here.
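
As an added example for this thread (not code from ComboFix, OTMoveIt or Avenger), the Python script below picks out of a ComboFix-style report the indicators the posts above act on: the DisableTaskMgr and DisableRegistryTools policies, the Security Center overrides, services whose image file ComboFix could not read (the `[ ]` entries such as eisxtqho and cryptex), and MountPoints2 shell handlers that launch a file from a drive (the keys delete.reg removes). The report excerpt embedded in the script is constructed from the line shapes of the log posted above; the only assumption about ComboFix is that those line formats hold.

```python
"""Flag the defence-evasion and autorun-hijack indicators a ComboFix-style
report makes visible: policy values that disable Task Manager and the
Registry Editor, Security Center overrides, services whose image file could
not be read, and MountPoints2 shell handlers that launch a file from a drive.
"""
import re

# Constructed excerpt (not a real report): line shapes copied from the
# ComboFix log posted in this thread, trimmed to the interesting entries.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15360]

S0 eisxtqho;eisxtqho;C:\WINDOWS\system32\drivers\deshwqj.sys [ ]
S2 cryptex;Crittografia estesa;C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe [ ]
S2 myAgtSvc;McAfee antivirus service;C:\Programmi\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-23 243008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4de9dcbd-759e-11dd-971d-00265415074e}]
\shell\Autoplay\comMaNd - H:\lsdsa.exe
\shell\AutoRun\command - H:\lsdsa.exe
\shell\exPlORe\commaND - H:\lsdsa.exe
\shell\oPeN\cOmManD - H:\lsdsa.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# R0/S2 etc.: start type, name;description;image path [date size]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$"
)
# MountPoints2 lines mix letter case, which is why the match is case-insensitive
AUTORUN_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<target>.+)$", re.IGNORECASE)
MOUNTPOINT_KEY = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.IGNORECASE)

# Registry values that, when non-zero, hide the tools a user would reach for first
POLICY_FLAGS = {
    "DisableTaskMgr": "Task Manager disabled by policy",
    "DisableRegistryTools": "Registry Editor disabled by policy",
    "AntiVirusOverride": "Security Center antivirus alerting overridden",
    "DisableMonitoring": "Security Center monitoring of a product switched off",
}


def parse_dword(raw):
    """Accept both renderings seen in the report: '1 (0x1)' and 'dword:00000001'."""
    raw = raw.strip()
    try:
        if raw.lower().startswith("dword:"):
            return int(raw[6:], 16)
        return int(raw.split()[0], 10)
    except (ValueError, IndexError):
        return None


def analyze_report(text):
    """Walk the report once and collect three kinds of findings."""
    findings = {"policy": [], "services": [], "autorun": []}
    current_key = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")  # remember which registry key we are under
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name") in POLICY_FLAGS:
            if parse_dword(m.group("raw")):  # non-zero means the restriction is active
                findings["policy"].append((current_key, m.group("name"), POLICY_FLAGS[m.group("name")]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if not m.group("info").strip():  # "[ ]": ComboFix could not read the image file
                findings["services"].append((m.group("name"), m.group("path")))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            mp = MOUNTPOINT_KEY.search(current_key)
            guid = mp.group("guid") if mp else current_key
            findings["autorun"].append((guid, m.group("verb"), m.group("target")))
    return findings


def summarize(findings):
    """One line per finding, with the autorun verbs grouped per mount point and target."""
    lines = [f"{key}: {name} -> {why}" for key, name, why in findings["policy"]]
    lines += [f"service {name}: image not readable ({path})" for name, path in findings["services"]]
    per_mount = {}
    for guid, verb, target in findings["autorun"]:
        per_mount.setdefault((guid, target), []).append(verb)
    lines += [f"mount point {guid}: verbs {', '.join(verbs)} run {target}"
              for (guid, target), verbs in per_mount.items()]
    return lines


if __name__ == "__main__":
    for line in summarize(analyze_report(SAMPLE_REPORT)):
        print(line)
```

Run against the full report instead of the embedded excerpt, the same three matchers give a short list of what to clean and what to re-enable afterwards (the two policy values and the Security Center flags), which is the order the posts in this thread follow.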

Re: Did I catch Bagle? Help with the Avenger script

Posted: Thu Oct 30, 2008 7:37 pm
by aitalus
Sorry it took me so long to reply, but I had to finish some work on the PC and didn't want to risk locking it up completely. The situation has got worse, though: the computer freezes constantly and it seems to me it's about to sink...

Anyway.

I tried to do what you advised, but when I pressed "Execute" in Avenger another lovely window appeared saying:

"Registry editing has been disabled by your administrator."

Then it did do something anyway; I restarted, but no log appeared, only an error message telling me it couldn't find the file delete.reg (and I had put it there, I assure you).
At that point I didn't make the ComboFix log again because I suspect nothing has changed... what's more, I don't know what those files you asked me about are...

I don't know what to do.

Re: Did I catch Bagle? Help with the Avenger script

Posted: Thu Oct 30, 2008 9:17 pm
by Amantide
OK, let's try a different way.
Close all running applications, especially the antivirus, disconnect from the internet and run with Avenger this script from before, slightly modified.

Code:
Files to delete:
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\Documents and Settings\Draperi\hkrahcbw.exe
C:\Documents and Settings\Draperi\qhcejbeb.exe
C:\WINDOWS\{4E325F25-7691-4B9C-A297-B9E8A5DB2AD4}.dat
C:\WINDOWS\system32\{EDBA4E81-71F5-43D0-955F-61020DA7C43C}.dat
C:\WINDOWS\system32\drivers\deshwqj.sys
C:\WINDOWS\downlo~1\4bf69lm\6sq5qyhp.exe
H:\lsdsa.exe
H:\vbpso.cmd
H:\xhqiss.pif
H:\kcifeb.pif
C:\WINDOWS\Tasks\ACE81839942F8AA5.job
c:\docume~1\draperi\datiap~1\stylec~1\funk hide shim.exe
C:\DOCUME~1\Draperi\DATIAP~1\STYLEC~1\JumpCake.exe
C:\Documents and Settings\All Users\Dati applicazioni\blue shim axis memo\Fork manager file.exe
C:\WINDOWS\system32\drivers\rphosj.sys

Drivers to unload:
eisxtqho
cryptex
asc3360pr

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3360pr


You can find the Avenger logs in C:\Avenger\